Overview

overview

10

Static

static

3

daae9ef556...9d.dll

windows7-x64

10

daae9ef556...9d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d.dll

  • Size

    964KB

  • MD5

    0dfedfa7857af79c50d589c2dc966f39

  • SHA1

    f60eb9042e405ccc3065b64cbae1e8f069c85edc

  • SHA256

    daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d

  • SHA512

    1821ce0b21df31b09011fe9852b10de17fd0c440ba861cbec712206c6a9663a5d49302acb70cff9d79cd532a18feb0dffe179253ee9f49156f479de43ea37ebf

  • SSDEEP

    12288:xfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4skZIy:RdAE81W381Wk8jnYz3dsPEb4s9

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2420
  • C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msconfig.exe
    1⤵
      PID:2896
    • C:\Users\Admin\AppData\Local\U1uf\msconfig.exe
      C:\Users\Admin\AppData\Local\U1uf\msconfig.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2632
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      1⤵
        PID:1828
      • C:\Users\Admin\AppData\Local\0jhS7f\dpnsvr.exe
        C:\Users\Admin\AppData\Local\0jhS7f\dpnsvr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3052
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:1088
        • C:\Users\Admin\AppData\Local\r8L3S7Kr\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\r8L3S7Kr\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0jhS7f\WINMM.dll
          Filesize

          972KB

          MD5

          2dd7a5b9e0622945e27ea3a36470a920

          SHA1

          8bfad65483101b23d30b258899326afb2ddbafa8

          SHA256

          95b8a01fa91b9ce3f0eb87d8663e9a430e3483dfd37d346fa16f06821849f754

          SHA512

          fb324a8dd5b70e41bec66a2c3cf0cffa845ce49fa91317efb75a6176df75ada4a7f2a1409acd34b8cf0461e260975a1e7aa99d2b75e12d885361c2a6a8d1a537

          Download Submit

        • C:\Users\Admin\AppData\Local\0jhS7f\dpnsvr.exe
          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

          Download Submit

        • C:\Users\Admin\AppData\Local\U1uf\VERSION.dll
          Filesize

          968KB

          MD5

          797592a888c990514baa8284eab3ebfd

          SHA1

          117263ea16c1a2fb3980c352148a822149cc5c4d

          SHA256

          2fdcf3df797ff058afe5312d057d1b67a68fbb45edaf3d2cf8a4d0a511481ac9

          SHA512

          fa5b5a04f0fe35959929b9f215e3600372299444eaed2266ceaaa056a4531ebb4acea73a0d412a6af5f871aa7a16b06099051e6bb901d9841ea8187f64aadaa3

          Download Submit

        • C:\Users\Admin\AppData\Local\r8L3S7Kr\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit

        • C:\Users\Admin\AppData\Local\r8L3S7Kr\FVEWIZ.dll
          Filesize

          968KB

          MD5

          e49a9417b363a96ed32698f1a08f4d56

          SHA1

          051f16697ccab2c465ab4d711bd4e22dfd4170a0

          SHA256

          3fe62bcd6a550a9fb3d99d02eed486926b3715fa1fed23ba149bdca6e85b556b

          SHA512

          df90c343e4a22488260ff80ed242ad5ee1290a42518f061a9d48d256687dc660fee63d6831c4f208ae624c0aa433a6f8f3fb74133501ce2d935568c7d2625b4e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk
          Filesize

          1KB

          MD5

          0253e5c3da492b254027cea8744588a8

          SHA1

          4b9a4c89f2f870b18cbf9a20f3d069f0ece69941

          SHA256

          3abeed39e79af2057c9e0b36be7f341847fd6424944f6899d2f9f77ff33f3bd0

          SHA512

          2b466a77d0eba9b30844e200fe92de68ba0f7ba06fc93697dafb83ee65f0975ef96bd9ebec1c126e6d580b630ed613547e5619a7e39d688916104cab63f2b30f

          Download Submit

        • \Users\Admin\AppData\Local\U1uf\msconfig.exe
          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

          Download Submit

        • memory/1244-14-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-23-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1244-3-0x0000000076D96000-0x0000000076D97000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-13-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-12-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-11-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-24-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-10-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-8-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-26-0x0000000077030000-0x0000000077032000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1244-25-0x0000000077000000-0x0000000077002000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1244-36-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-35-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-45-0x0000000076D96000-0x0000000076D97000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-15-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-9-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-6-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1244-7-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/2420-44-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/2420-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2420-0-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/2632-58-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2632-54-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2632-53-0x00000000000B0000-0x00000000000B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-91-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3052-70-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3052-71-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3052-75-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download